From 7667f1b9e3c15b4c1181f0986dbf9385fa253f35 Mon Sep 17 00:00:00 2001
From: Matt Corallo <git@bluematt.me>
Date: Sun, 14 Apr 2024 16:41:54 +0000
Subject: [PATCH] Filter using `VerifiedRRStream::resolve_name` in wasm

When resolving a name in WASM we should let `resolve_name` handle
C/DNAMEs, which we do here.
---
 wasmpack/doh_lookup.js |  2 +-
 wasmpack/src/lib.rs    | 17 ++++++++++++-----
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/wasmpack/doh_lookup.js b/wasmpack/doh_lookup.js
index 17c5bbf..fec246c 100644
--- a/wasmpack/doh_lookup.js
+++ b/wasmpack/doh_lookup.js
@@ -46,7 +46,7 @@ export async function lookup_doh(domain, ty, doh_endpoint) {
 				} else if (queries_pending == 0) {
 					var proof = wasm.get_unverified_proof(builder);
 					if (proof != null) {
-						var result = wasm.verify_byte_stream(proof);
+						var result = wasm.verify_byte_stream(proof, domain);
 						return JSON.stringify(JSON.parse(result), null, 1);
 					} else {
 						return "{\"error\":\"Failed to build proof\"}";
diff --git a/wasmpack/src/lib.rs b/wasmpack/src/lib.rs
index 57fe0a0..75ca16c 100644
--- a/wasmpack/src/lib.rs
+++ b/wasmpack/src/lib.rs
@@ -2,6 +2,7 @@
 
 use dnssec_prover::ser::parse_rr_stream;
 use dnssec_prover::validation::{verify_rr_stream, ValidationError};
+use dnssec_prover::rr::Name;
 use dnssec_prover::query::{ProofBuilder, QueryBuf};
 
 use wasm_bindgen::prelude::wasm_bindgen;
@@ -72,23 +73,29 @@ pub fn get_unverified_proof(proof_builder: WASMProofBuilder) -> Option<Vec<u8>>
 }
 
 #[wasm_bindgen]
-/// Verifies an RFC 9102-formatted proof and returns the [`VerifiedRRStream`] in JSON form.
-pub fn verify_byte_stream(stream: Vec<u8>) -> String {
-	match do_verify_byte_stream(stream) {
+/// Verifies an RFC 9102-formatted proof and returns verified records matching the given name
+/// (resolving any C/DNAMEs as required).
+pub fn verify_byte_stream(stream: Vec<u8>, name_to_resolve: String) -> String {
+	let name = match Name::try_from(name_to_resolve) {
+		Ok(name) => name,
+		Err(()) => return "{\"error\":\"Bad name to resolve\"}".to_string(),
+	};
+	match do_verify_byte_stream(stream, name) {
 		Ok(r) => r,
 		Err(e) => format!("{{\"error\":\"{:?}\"}}", e),
 	}
 }
 
-fn do_verify_byte_stream(stream: Vec<u8>) -> Result<String, ValidationError> {
+fn do_verify_byte_stream(stream: Vec<u8>, name_to_resolve: Name) -> Result<String, ValidationError> {
 	let rrs = parse_rr_stream(&stream).map_err(|()| ValidationError::Invalid)?;
 	let verified_rrs = verify_rr_stream(&rrs)?;
+	let resolved_rrs = verified_rrs.resolve_name(&name_to_resolve);
 	let mut resp = String::new();
 	write!(&mut resp, "{}",
 		format_args!("{{\"valid_from\": {}, \"expires\": {}, \"max_cache_ttl\": {}, \"verified_rrs\": [",
 		verified_rrs.valid_from, verified_rrs.expires, verified_rrs.max_cache_ttl)
 	).expect("Write to a String shouldn't fail");
-	for (idx, rr) in verified_rrs.verified_rrs.iter().enumerate() {
+	for (idx, rr) in resolved_rrs.iter().enumerate() {
 		write!(&mut resp, "{}{}", if idx != 0 { ", " } else { "" }, rr.json())
 			.expect("Write to a String shouldn't fail");
 	}
-- 
2.39.5